CVE-2026-47396

PraisonAI Call Server Unauthenticated Agent Access (CVE-2026-47396)

Initial Access Persistence Impact Last updated:

Detects exploitation of CVE-2026-47396, a critical authentication bypass in PraisonAI's call server component. When the CALL_SERVER_TOKEN environment variable is unset, the server exposes unauthenticated endpoints for listing, invoking, and deleting AI agents. An attacker can enumerate available agents, invoke arbitrary agent workflows, or destroy agent configurations without any credentials. CVSS 9.8 (Critical), CWE-284/CWE-306.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
pip
Product
PraisonAI
Versions
<= 4.6.39

Weakness (CWE)

CWE-284CWE-306

Timeline

Disclosed
May 29, 2026

CVSS

9.8
Critical (9.0–10)
Read the write-up →

What is CVE-2026-47396 PraisonAI Call Server Unauthenticated Agent Access (CVE-2026-47396)?

PraisonAI Call Server Unauthenticated Agent Access (CVE-2026-47396) (CVE-2026-47396) maps to the Initial Access and Persistence and Impact tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for PraisonAI Call Server Unauthenticated Agent Access (CVE-2026-47396), covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, AppServiceHTTPLogs, AzureDiagnostics. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Persistence Impact
Microsoft Sentinel / Defender
kusto 
union CommonSecurityLog, W3CIISLog, AppServiceHTTPLogs
| where TimeGenerated > ago(24h)
| where RequestURL has_any ("/agents", "/invoke", "/delete") or csUriStem has_any ("/agents", "/invoke", "/delete")
| where RequestMethod in ("GET", "POST", "DELETE") or csMethod in ("GET", "POST", "DELETE")
| where isempty(RequestHeader_Authorization) or not(RequestHeader_Authorization matches regex @"Bearer .+")
| extend SourceIP = coalesce(SourceIP, cIP)
| extend TargetURL = coalesce(RequestURL, csUriStem)
| project TimeGenerated, SourceIP, TargetURL, RequestMethod, csMethod, ResponseCode, csStatus
| summarize RequestCount = count(), Methods = make_set(coalesce(RequestMethod, csMethod)), StatusCodes = make_set(coalesce(tostring(ResponseCode), tostring(csStatus))) by SourceIP, bin(TimeGenerated, 5m)
| where RequestCount > 2
| order by RequestCount desc

Detects unauthenticated HTTP requests to PraisonAI call server agent endpoints (/agents, /invoke, /delete) lacking a Bearer token Authorization header, aggregated by source IP over 5-minute windows.

critical severity medium confidence

Data Sources

CommonSecurityLog W3CIISLog AppServiceHTTPLogs AzureDiagnostics

Required Tables

CommonSecurityLog W3CIISLog AppServiceHTTPLogs

False Positives

  • Internal health checks or monitoring probes that legitimately call agent endpoints without tokens
  • Development or staging environments where authentication is intentionally disabled
  • Load balancer or reverse proxy health checks hitting agent listing endpoints
  • Automated integration tests running against non-production PraisonAI instances

Sigma rule & cross-platform mapping

The detection logic for PraisonAI Call Server Unauthenticated Agent Access (CVE-2026-47396) (CVE-2026-47396) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-47396 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-47396

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-21 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate PraisonAI agents without authentication

    Expected signal: Web server access log entry: GET /agents HTTP/1.1 from test source IP, no Authorization header, HTTP 200 response with JSON agent listing

  2. Test 2Invoke PraisonAI agent without authentication

    Expected signal: Web server access log entry: POST /invoke HTTP/1.1 from test source IP, no Authorization header, HTTP 200 or 202 response; application log showing agent invocation

  3. Test 3Delete PraisonAI agent configuration without authentication

    Expected signal: Web server access log entry: DELETE /delete HTTP/1.1 from test source IP, no Authorization header; application log showing agent deletion event

  4. Test 4Confirm CALL_SERVER_TOKEN absence in running process

    Expected signal: Process environment read via /proc/<pid>/environ; output contains no CALL_SERVER_TOKEN entry

Unlock Pro Content

Get the full detection package for CVE-2026-47396 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0040Impact

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1485Data DestructionT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections